-
Notifications
You must be signed in to change notification settings - Fork 10
Expand file tree
/
Copy pathcontainer_scan.go
More file actions
181 lines (147 loc) · 5.77 KB
/
container_scan.go
File metadata and controls
181 lines (147 loc) · 5.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
package cmd
import (
"fmt"
"os"
"os/exec"
"regexp"
"strings"
"codacy/cli-v2/utils/logger"
"github.com/fatih/color"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
)
// validImageNamePattern validates Docker image references
// Allows: registry/namespace/image:tag or image@sha256:digest
// Based on Docker image reference specification
var validImageNamePattern = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._\-/:@]*$`)
// Flag variables for container-scan command
var (
severityFlag string
pkgTypesFlag string
ignoreUnfixedFlag bool
)
func init() {
containerScanCmd.Flags().StringVar(&severityFlag, "severity", "", "Comma-separated list of severities to scan for (default: HIGH,CRITICAL)")
containerScanCmd.Flags().StringVar(&pkgTypesFlag, "pkg-types", "", "Comma-separated list of package types to scan (default: os)")
containerScanCmd.Flags().BoolVar(&ignoreUnfixedFlag, "ignore-unfixed", true, "Ignore unfixed vulnerabilities")
rootCmd.AddCommand(containerScanCmd)
}
var containerScanCmd = &cobra.Command{
Use: "container-scan [FLAGS] <IMAGE_NAME>",
Short: "Scan container images for vulnerabilities using Trivy",
Long: `Scan container images for vulnerabilities using Trivy.
By default, scans for HIGH and CRITICAL vulnerabilities in OS packages,
ignoring unfixed issues. Use flags to override these defaults.
The --exit-code 1 flag is always applied (not user-configurable) to ensure
the command fails when vulnerabilities are found.`,
Example: ` # Default behavior (HIGH,CRITICAL severity, os packages only)
codacy-cli container-scan myapp:latest
# Scan only for CRITICAL vulnerabilities
codacy-cli container-scan --severity CRITICAL myapp:latest
# Scan all severities and package types
codacy-cli container-scan --severity LOW,MEDIUM,HIGH,CRITICAL --pkg-types os,library myapp:latest
# Include unfixed vulnerabilities
codacy-cli container-scan --ignore-unfixed=false myapp:latest`,
Args: cobra.ExactArgs(1),
Run: runContainerScan,
}
// validateImageName checks if the image name is a valid Docker image reference
// and doesn't contain shell metacharacters that could be used for command injection
func validateImageName(imageName string) error {
if imageName == "" {
return fmt.Errorf("image name cannot be empty")
}
// Check for maximum length (Docker has a practical limit)
if len(imageName) > 256 {
return fmt.Errorf("image name is too long (max 256 characters)")
}
// Validate against allowed pattern
if !validImageNamePattern.MatchString(imageName) {
return fmt.Errorf("invalid image name format: contains disallowed characters")
}
// Additional check for dangerous shell metacharacters
dangerousChars := []string{";", "&", "|", "$", "`", "(", ")", "{", "}", "<", ">", "!", "\\", "\n", "\r", "'", "\""}
for _, char := range dangerousChars {
if strings.Contains(imageName, char) {
return fmt.Errorf("invalid image name: contains disallowed character '%s'", char)
}
}
return nil
}
// getTrivyPath returns the path to the Trivy binary or exits if not found
func getTrivyPath() string {
trivyPath, err := exec.LookPath("trivy")
if err != nil {
logger.Error("Trivy not found", logrus.Fields{"error": err.Error()})
color.Red("❌ Error: Trivy is not installed or not found in PATH")
fmt.Println("Please install Trivy to use container scanning.")
fmt.Println("Visit: https://trivy.dev/latest/getting-started/installation/")
os.Exit(1)
}
logger.Info("Found Trivy", logrus.Fields{"path": trivyPath})
return trivyPath
}
// handleTrivyResult processes the Trivy command result and exits appropriately
func handleTrivyResult(err error, imageName string) {
if err == nil {
logger.Info("Container scan completed successfully", logrus.Fields{"image": imageName})
fmt.Println()
color.Green("✅ Success: No vulnerabilities found matching the specified criteria")
return
}
if exitError, ok := err.(*exec.ExitError); ok && exitError.ExitCode() == 1 {
logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{
"image": imageName, "exit_code": 1,
})
fmt.Println()
color.Red("❌ Scanning failed: vulnerabilities found in the container image")
os.Exit(1)
}
logger.Error("Failed to run Trivy", logrus.Fields{"error": err.Error()})
color.Red("❌ Error: Failed to run Trivy: %v", err)
os.Exit(1)
}
func runContainerScan(cmd *cobra.Command, args []string) {
imageName := args[0]
if err := validateImageName(imageName); err != nil {
logger.Error("Invalid image name", logrus.Fields{"image": imageName, "error": err.Error()})
color.Red("❌ Error: %v", err)
os.Exit(1)
}
logger.Info("Starting container scan", logrus.Fields{"image": imageName})
trivyPath := getTrivyPath()
trivyCmd := exec.Command(trivyPath, buildTrivyArgs(imageName)...)
trivyCmd.Stdout = os.Stdout
trivyCmd.Stderr = os.Stderr
logger.Info("Running Trivy container scan", logrus.Fields{"command": trivyCmd.String()})
fmt.Printf("🔍 Scanning container image: %s\n\n", imageName)
handleTrivyResult(trivyCmd.Run(), imageName)
}
// buildTrivyArgs constructs the Trivy command arguments based on flags
func buildTrivyArgs(imageName string) []string {
args := []string{
"image",
"--scanners", "vuln",
}
// Apply --ignore-unfixed if enabled (default: true)
if ignoreUnfixedFlag {
args = append(args, "--ignore-unfixed")
}
// Apply --severity (use default if not specified)
severity := severityFlag
if severity == "" {
severity = "HIGH,CRITICAL"
}
args = append(args, "--severity", severity)
// Apply --pkg-types (use default if not specified)
pkgTypes := pkgTypesFlag
if pkgTypes == "" {
pkgTypes = "os"
}
args = append(args, "--pkg-types", pkgTypes)
// Always apply --exit-code 1 (not user-configurable)
args = append(args, "--exit-code", "1")
// Add the image name as the last argument
args = append(args, imageName)
return args
}